Microsoft announced plans today to release four security bulletins as part of next week’s Patch Tuesday update, including one aimed at a critical vulnerability in Microsoft Word.

According to Microsoft, the Word vulnerability has been observed being exploited in attacks against Word 2010 users and can be leveraged to remotely execute code if the user opens a specially-crafted RTF file or previews that file in Microsoft Outlook using Word as the email viewer.

“The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010.”

The update will fix all affected versions, according to Childs.

The other ‘critical’ update will address Microsoft Windows and Internet Explorer. The remaining two bulletins have been classified as ‘important’ and are aimed at issues in Windows and Microsoft Office.

Tuesday’s patches will offer the last security updates for Windows XP and Office 2003, which both face end-of-life on April 8.

“Once support ends, computers still on Windows XP will become a very juicy target for Internet criminals and attackers,” blogged Patrick Thomas, security consultant Neohapsis.

“For those who really don’t want to or can’t upgrade, the situation isn’t pretty,” he continued. “Your computer will continue to work as it always has, but the security of your system and your data is entirely in your hands. These systems have been low-hanging fruit for attackers for a long time, but after April 8th they will have a giant neon bull’s-eye on them.”

“If pushing patches for these new vulnerabilities while working a migration plan for XP and Office 2003 users weren’t enough, administrators are still dealing with the fallout from the recent Pwn2Own competition, which revealed vulnerabilities in all of the major browsers and in Adobe’s Flash Player plug-in,” explained Russ Ernst, director product management at Lumension. “With security updates coming from so many sources this month, IT will be challenged to effectively prioritize their roll outs. The best thing to do is to maintain your patch process, and consider consolidating to a single allowed browser as part of your migration plan to the latest OS.”

Commercial source code is more compliant with security standards than open source code, according to the 2014 Coverity Scan Open Source Report published on Wednesday by Synopsys. read more SecurityWeek RSS Feed

A team of researchers from Austria and France have demonstrated what they claim to be the first remote software-induced hardware fault attack. They have found a way to exploit the “Rowhammer” vulnerability remotely by using JavaScript. read more SecurityWeek RSS Feed

Contrary to many headlines across the cyber realm, not all security incidents are a result of malicious intent. According to the results of a recent survey, 70 percent of U.S. survey respondents and 64 percent of German respondents said that more security incidents are caused by unintentional mistakes rather than intentional and/or malicious acts. read[…]

Fingerprint access controllers developed by Taiwan-based Chiyu Technology are plagued by a vulnerability that could allow hackers to make it easier to open the doors protected by these devices, a researcher has warned. read more SecurityWeek RSS Feed